Date: Fri, 05 Aug 2022 18:38:04 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 265664] Undefined behaviour in sys/netinet/tcp_lro.h
Message-ID: <bug-265664-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265664

            Bug ID: 265664
           Summary: Undefined behaviour in sys/netinet/tcp_lro.h
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: nreilly@blackberry.com

union lro_address {
        u_long raw[1];
        struct {
                uint8_t lro_type;       /* internal */
                ...
        };
} __aligned(sizeof(u_long));

#define LRO_RAW_ADDRESS_MAX \
        (sizeof(union lro_address) / sizeof(u_long))

There are then a number of functions both in tcp_lro.h and tcp_lro.c that do
things like:

        for (unsigned i = 0; i < LRO_RAW_ADDRESS_MAX; i++) {
                if (pa->raw[i] != pb->raw[i])

This is undefined behaviour.

Either the member "raw" should be removed and the iteration over the structure
rewritten, or the definition should be improved so that the array size actually
encompasses the entire struct.

-- 
You are receiving this mail because:
You are the assignee for the bug.